US7403620B2 - Cyphering/decyphering performed by an integrated circuit - Google Patents
- Publication number: US7403620B2
- Authority: US (United States)
- Prior art keywords
- cyphering
- random number
- block
- code
- blocks
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related, expires
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/04—Masking or blinding
- H04L2209/046—Masking or blinding of operations, operands or results of the operations
- H04L2209/08—Randomization, e.g. dummy operations or using noise
Definitions
- the present invention relates to the cyphering of digital data by means of algorithms intended to mask original data to make them undetectable by a possible pirate.
- the present invention more specifically relates to algorithms implementing a same transformation on different parts of the data to be coded.
- the cyphering/decyphering algorithms to which the present invention applies are generally executed by integrated circuits, either by means of state machines in wired logic, or by means of microprocessors executing a program in memory (generally a ROM). Such algorithms use secret keys specific to integrated circuits or to the user, which are exploited by the algorithm to code the data.
- AES: Advanced Encryption Standard.
- FIG. 1 illustrates in a simplified flowchart the main steps of a conventional AES-type algorithm. Only the cyphering will be described, the decyphering using the inverse transformations.
- This algorithm cyphers a word or code S0 of a predetermined number of bits (generally, 128 bits) into another word or code Sn of the same size.
- the data to be cyphered are in fact formed of several words or codes resulting from a previous division of the data into words all having the same size.
- the cyphering and the decyphering are based on a secret key, the length of which (generally from 128 to 256 bits) conditions the cyphering security.
- each step of an AES-type algorithm processes a matrix of four lines and four columns representing a word and each element of which is a byte or block of the processed 128-bit code.
- Each step is applied to a state considered as being a matrix.
- 11 sub-keys, each also comprised of 128 bits, are first generated based on the 128-bit secret key. More generally, based on a secret key of a number m of bits, n+1 sub-keys K0, ..., Ki, ..., Kn of m bits each are derived. These sub-keys are intended to be used by the algorithm as will be described hereafter in relation with FIG. 1.
- the algorithm starts from an initial state (block 1, STATE INIT) S0 of the code or data word to be cyphered.
- a first phase of the cyphering process is a so-called “bleaching” operation (block 2, ADDROUNDKEY) which consists of performing an XOR-type combination of initial state S0 with first sub-key K0.
- a first intermediary state S1 is obtained.
- a second phase of the cyphering process consists of performing several turns or cycles of a same transformation T involving, at each turn, the state S(i−1) obtained at the preceding turn and a current sub-key Ki.
- the number of turns of transformation T corresponds to n−1, that is, to the number of derived sub-keys minus 2.
- FIG. 2 illustrates in more detail these four operations on a matrix 20 of four lines and four columns of binary bytes to which an AES-type algorithm applies.
- a first step (block 3, SHIFTROWS) consists of performing a rotation on the last three lines of matrix 20.
- First line 201 of matrix 20 is left unchanged.
- Second line 202 is rotated by one byte.
- Third line 203 is rotated by two bytes.
- Fourth line 204 is rotated by three bytes.
- a second step (block 4, SUBBYTES) of a turn of transformation T is a non-linear transformation in which each byte of matrix 20′ forming the current state is replaced with its image taken from a substitution box (SBOX).
- substitution box SBOX is obtained by two successive transformations.
- a first transformation (block 41, INV) consists of inverting the considered byte (the element of matrix 20′) in the finite field of order 2^8 (to correspond to the byte), byte 00 forming its own image. This inversion is followed by an affine transformation (block 42, AFFINE).
- the third step (block 5, MIXCOLUMNS) of the turn of transformation T consists of considering each column of matrix 20′′ resulting from the preceding step as a polynomial over the finite field of order 2^8, and of multiplying each of these polynomials by a combination polynomial P[X] modulo a polynomial M[X].
- the last and fourth step of the turn of transformation T of rank i consists of applying sub-key Ki to matrix 20′′ of the previous state to obtain a matrix 20′′′, in which each element of matrix 20′′ has been combined by XOR, bit to bit, with sub-key Ki (block 6, ADDROUNDKEY).
- Step 6 is the same as step 2 of the first cyphering phase, but performed with a different sub-key.
- the four steps of the turn transformation are repeated n−1 times, that is, after step 6, it is returned to step 3 to perform a new turn with the next key.
- the third phase of the cyphering algorithm ( FIG. 1 ) consists, in a way, in a last turn, slightly modified as compared to that illustrated in FIG. 2 .
- the steps of the turn transformation are reproduced except for the third one (MIXCOLUMNS). This amounts to successively performing steps 7 , 8 , and 9 corresponding to previously-described steps 3 , 4 , and 6 with, as the key for step 9 , the last sub-key Kn.
- One such attack is known as a DPA (Differential Power Analysis) attack.
- In a DPA attack, a statistical correlation curve is established along time between the power consumption of the product during the message cyphering and an intermediary value calculated by the circuit.
- a known solution to make the algorithms more resistant against differential power analysis attacks of the integrated circuit consists of involving a random number in the execution of the algorithm.
- the use of a random value consists of masking the state at the beginning of the algorithm by this random value and of restoring the expected result at the end of the algorithm.
- FIG. 3 partially and very schematically illustrates a first known technique of introduction of a random number Rd in the execution of an AES-type algorithm.
- a bit-to-bit XOR-type combination (block 12, +) with a random number Rd is performed. This number is thus introduced before step 2 of combination with first sub-key K0.
- This random number Rd must then be taken into account at some stages of the algorithm.
- For the SUBBYTES non-linear transformation steps 4 and 8, a substitution box SBOX_Rd taking the random number into account must be used.
- At step 6, an XOR-type combination (block 13, +) with number Rd must be performed. Moreover, after step 13, the obtained result is combined (block 15, +) by XOR with an amount MC(SR(Rd)) corresponding to the application of the row shifting SR (SHIFTROWS) and column mixing MC (MIXCOLUMNS) functions to number Rd.
- Using a substitution box SBOX_Rd for each byte of the state requires 16 boxes of 256 bytes, which amounts to 4 kilobytes of memory. Such a memory is far from being negligible when integrated, for example, in a smart card.
- FIG. 4 illustrates a second conventional solution to involve a random value in a cyphering algorithm of AES type. This solution is described in article “An implementation of DES and AES, secure against some attacks” by M. L. Akkar and C. Giraud, published at the CHES conference 2001 (Springer-Verlag editors).
- Second random value Rd2 is introduced into the turns of the transformation, be it the n−1 identical transformations T or the last transformation T′.
- a first transformation (block 241, INV) consists of inverting each byte of the matrix resulting from step 25. Then, the product (byte by byte, modulo an irreducible polynomial) of initial state Si by the inverse (Rd2^−1) of the random value is added (XOR) to this inverted matrix (block 242, +). The result is then multiplied (block 243, X) by random value Rd2; again, this is a polynomial multiplication. Finally, the last byte substitution step 24 of the matrix consists in an affine transformation 244 (AFFINE). At the end of step 24, the resulting matrix is submitted to the step of addition of the corresponding sub-key (step 6 or 9).
- In the transformations T, the step following step 24 is step 5 (MIXCOLUMNS). After step 6, the obtained result is combined (block 26, +) by XOR with value Rd1.
- the result of addition 26 is combined (block 27), still by XOR, with the result MC(AF(SR(Rd1))) of the polynomial column mixing processing MC applied to the affine transformation AF applied to the row shifting SR applied to value Rd1.
- In the last transformation T′, the step following step 24 is step 9 with key Kn.
- the obtained result is combined (block 29, +) by XOR with the result AF(SR(Rd1)) of affine transformation AF applied to row shifting SR applied to value Rd1.
- the output of block 29 provides the state to be set up by step 10.
- the problem of the processing by a random number is essentially due to the fact that, in an algorithm of the type to which the present invention applies, the substitution operation is a non-linear operation.
- the present invention aims at providing a novel solution to the introduction of at least one random value in an AES-type cyphering algorithm which overcomes the disadvantages of known solutions. More generally, the present invention aims at providing the introduction of at least one random value in an algorithm submitting a code or input word, divided into blocks, several times to the same transformation (by a substitution matrix) with different keys.
- the present invention also aims at providing a solution which reduces the number of times that a substitution box must be calculated and/or stored.
- the present invention also aims at reducing the calculation time necessary to the execution of the algorithm after introduction of the random number.
- the present invention provides a cyphering/decyphering method, by an integrated circuit, of a digital input code by means of several keys, comprising:
- the operands being masked, upon execution of the method, by means of at least one first random number having the size of said code and all the blocks of which have the same value, by combining, by an XOR-type function, the input and output blocks of the non-linear transformation with said random number.
- the input code is combined with a second random number of same dimension as the code.
- said non-linear transformation comprises using a box of substitution of the input code blocks, calculated with a third random number of same length as said code and all the blocks of which have the same value.
- said box respects the fact that the transformation of an input code, previously combined by XOR with the first random number, corresponds to the result of the combination by XOR of this input code with said third random number.
- the method is applied to an AES-type cyphering algorithm.
- said first random number is changed at each cyphering turn.
- said second random number is changed at each cyphering of new data.
- said third random number is changed at each cyphering turn.
- the present invention also provides an integrated circuit comprising a block for cyphering/deciphering by turn input data divided into blocks of same dimensions, comprising:
- FIG. 1 previously described, illustrates in a simplified flowchart a conventional cyphering method of the type to which the present invention applies;
- FIG. 2 previously described, illustrates the processings performed on a matrix state in a turn of a transformation of the method of FIG. 1 ;
- FIG. 3 shows the steps of a first conventional method of taking into account of a random number in a cyphering algorithm of the type illustrated in FIG. 1 ;
- FIG. 4 shows a second conventional solution of introduction of random numbers in a cyphering algorithm of the type shown in FIG. 1 ;
- FIG. 5 illustrates in a simplified flowchart an embodiment of a cyphering algorithm according to the present invention.
- FIG. 6 shows, in a simplified flowchart, an embodiment of a decyphering method according to the present invention.
- a random value having the same size as the state to be cyphered (the matrix) is used for the transformations processing several bytes at the same time or which mix them together, as is the case for transformations of column mixing, sub-key introduction, and row shifting type.
- this random value is not used for non-linear functions, such as those implemented for the byte substitution by a substitution box in the considered case.
- a substitution box is masked by another random value, the bytes of which (or more generally, the blocks of a size corresponding to the size of the blocks of the code taken into account in the substitution box) are all identical.
- a masking operation is efficient since, due to the complete masking of the functions operating over the entire block, it is not possible for a pirate to exploit this specificity through a correlation function.
- a pseudo-random value linked to this random value, is also used to mask the substitution box.
- FIG. 5 shows a flowchart of an implementation mode of an AES-type algorithm, masked by means of random and/or pseudo-random values according to the present invention.
- State S0 corresponds to the code (data) to be cyphered by the algorithm.
- First step 41 comprises performing an XOR-type combination of state S0 with a random value R having the same size as state S0 (for example, 128 bits).
- a conventional step 32 of sub-key addition (block 32, ADDROUNDKEY) by an XOR-type combination of first sub-key K0 with the result of the preceding step is executed.
- the obtained state corresponds to state Si+R.
- the second phase of the cyphering method, comprising executing n−1 turns of a same transformation T, is then entered.
- This transformation involves the steps of the conventional process (for example, AES) which are desired to be masked by at least one random value.
- these are row shifting step 33 (SHIFTROWS), step 34 (SUBBYTES) of byte substitution by means of a substitution box SBOX, column mixing step 35 (MIXCOLUMNS), and step 36 of XOR combination (ADDROUNDKEY) with sub-key Ki of rank i.
- the number (for example, 16) of bytes of each value corresponds to the number of bytes of a processed state (for example, 128 bits).
- state SR(Si)+SR(R) is combined (block 42) with a value of same size (R1+SR(R)) corresponding to the application of the row shifting to random value R (SR(R)) combined, byte by byte, by XOR with random value R1.
- the state is masked by a value of same size, each byte of which has the same random value.
- Step 34 of byte-by-byte substitution by means of substitution box SBOX_R1,R2 is then performed.
- This box is, according to the present invention, a function of value R2 and is linked to value R1, respecting the following relation:
- SB(Si+R1) = SBOX(Si)+R2, where SBOX represents the substitution box of the algorithm that is desired to be masked and SB designates the byte substitution function (SUBBYTES).
- To the result (SB(SR(Si))+R2) of step 34, which corresponds to a state masked by value R2 (each byte of the matrix is masked by a byte of same value), an XOR-type combination is applied (block 43) with the XOR combination R2+R (byte by byte) of the 128-bit value R and of byte R2.
- The turn ends with step 44, at the end of which, according to rank i, either step 33 is returned to for a new iteration, or row shifting step 37 (SHIFTROWS) of the last transformation T′ is proceeded to.
- the present invention comprises interposing, between some steps of the algorithm, the execution of which is desired to be masked by random values, logic combinations of the matrixes processed by values R 1 and R 2 .
- the transformation by substitution matrix 38 is identical to that described in relation with step 34 , but framed by combinations 45 and 46 . These combinations are identical to previously-described combinations 42 and 43 , upstream and downstream of transformation 34 .
- An advantage of the present invention is that quantities R 1 and R 2 as well as substitution box SBOX can be recalculated at each turn T of the cyclic transformation or at each cyphering or decyphering of the input data by the complete algorithm.
- Another advantage of the present invention is that a memory corresponding to twice the matrix to be processed is sufficient to store the new substitution boxes (the old one and the new one) since said matrixes are combined with a random value, the size of which corresponds to that of an element of the matrix.
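As an added illustration (not the patent's own code, nor any product's), the following Python builds the relation SB(Si+R1) = SBOX(Si)+R2 as a single 256-byte masked box, walks one turn of FIG. 5 (steps 33 to 36 framed by combinations 42 and 43) on a state that enters masked by R, and checks that unmasking the result gives the conventional turn of FIG. 2. The page does not say what combination 44 computes; the example assumes it XORs MC(R)+R so that the state leaves the turn masked by R again, which is what lets the next turn enter as Si+R. The S-box is computed from the INV and AFFINE transformations rather than stored, and the state is a 16-byte column-major list.

```python
"""Masked AES-type turn in the manner of FIG. 5 (added example, not the patent's code).

Symbols from the page: state S_i, 128-bit random value R, one-byte random values
R1 and R2, SR = SHIFTROWS, SB = SUBBYTES, MC = MIXCOLUMNS, '+' = XOR.
Assumption (not on the page): combination 44 XORs MC(R) + R to restore mask R.
"""
import os


def xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def gmul(a, b):
    # Multiplication in the finite field of order 2^8 modulo x^8 + x^4 + x^3 + x + 1.
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = xtime(a)
        b >>= 1
    return p


def gf_inv(a):
    # Inversion (block 41, INV); byte 00 is its own image.
    if a == 0:
        return 0
    return next(x for x in range(1, 256) if gmul(a, x) == 1)


def affine(b):
    # Affine transformation (block 42 of FIG. 2): XOR of four rotations plus 0x63.
    r = b
    for i in range(1, 5):
        r ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return r ^ 0x63


SBOX = [affine(gf_inv(x)) for x in range(256)]  # the unmasked substitution box


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def shift_rows(s):
    # SHIFTROWS: row r of the 4x4 matrix (column-major list) is rotated by r bytes.
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    # MIXCOLUMNS: each column multiplied by the fixed polynomial {03}x^3+{01}x^2+{01}x+{02}.
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gmul(2, a[r]) ^ gmul(3, a[(r + 1) % 4]) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out


def masked_sbox(sbox, r1, r2):
    # SBOX_R1,R2 with SB(x + R1) = SBOX(x) + R2: looking up y = x ^ R1 yields SBOX[x] ^ R2.
    # One 256-byte box serves all 16 bytes because every byte carries the same mask R1.
    return [sbox[y ^ r1] ^ r2 for y in range(256)]


def plain_turn(state, k):
    # Conventional turn T of FIG. 2: SHIFTROWS, SUBBYTES, MIXCOLUMNS, ADDROUNDKEY.
    return xor(mix_columns([SBOX[b] for b in shift_rows(state)]), k)


def masked_turn(masked_state, k, R, r1, r2):
    # One turn of FIG. 5 on a state that enters as S_i + R.
    box = masked_sbox(SBOX, r1, r2)            # recomputed each turn (256 bytes, not 16 x 256)
    x = shift_rows(masked_state)               # step 33: SR(S_i) + SR(R)
    x = xor(x, xor([r1] * 16, shift_rows(R)))  # block 42: SR(S_i) + R1 (same byte everywhere)
    x = [box[b] for b in x]                    # step 34: SB(SR(S_i)) + R2
    x = xor(x, xor([r2] * 16, R))              # block 43: SB(SR(S_i)) + R
    x = mix_columns(x)                         # step 35: MC(SB(SR(S_i))) + MC(R)
    x = xor(x, k)                              # step 36: ADDROUNDKEY with K_i
    x = xor(x, xor(mix_columns(R), R))         # block 44 (assumed): back to mask R
    return x


def check_turn(state, k, R, r1, r2):
    # True when unmasking the masked turn yields the conventional turn.
    return xor(masked_turn(xor(state, R), k, R, r1, r2), R) == plain_turn(state, k)


def demo():
    # Constructed inputs: random state, sub-key and masks, as a fresh turn would draw them.
    state, k, R = list(os.urandom(16)), list(os.urandom(16)), list(os.urandom(16))
    r1, r2 = os.urandom(1)[0], os.urandom(1)[0]
    return check_turn(state, k, R, r1, r2)


if __name__ == "__main__":
    print("masked turn matches conventional turn:", demo())
```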
- FIG. 6 shows, in the form of a simplified flowchart, an embodiment of an algorithm for decyphering data Sn according to the present invention.
- the decyphering resumes the steps inverse of those of the cyphering except for the step of introduction of the keys or sub-keys Ki, which are performed in the reverse order.
- the initial state (block 51, STATE INIT) here corresponds to a cyphered or encrypted state (Sn) of the data.
- the initial state is first combined (block 61) with a random quantity R having the same size as the initial data. Then, the obtained state Sn+R is combined (block 52, ADDROUNDKEY) with the sub-key Kn which corresponds to the last portion of the cyphering key (in this example, the last byte). The obtained state S(n−1)+R is then submitted to n−1 cycles of a same decyphering transformation taking into account at each turn a sub-key Ki of lower rank.
- steps 57, 58, and 59, inverse of cyphering steps 37, 38, and 39 and corresponding to the conventional steps of the decyphering method, are successively applied, interposing the same combination steps 65, 66, and 67 as upon cyphering.
- the present invention is likely to have various alterations, modifications, and improvements which will readily occur to those skilled in the art.
- the present invention which has been described hereabove in relation with the AES-type cyphering algorithm may be transposed to any cyphering algorithm, the input code of which is divided into blocks of identical sizes to be ciphered, each block being submitted to a same non-linear transformation.
- the adaptation of the present invention and of the sizes of the random quantities and of the used keys is within the abilities of those skilled in the art. It will be ascertained to respect a number of sub-keys corresponding to the numbers of turns and a size of random quantity R corresponding to the size of the sub-keys, and thus of the blocks. Moreover, the numbers indicated as being random numbers may originate from a pseudo-random generator.
- a specific example of application of the present invention relates to the implementation of an AES-type cyphering/decyphering algorithm in a smart card.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR02/08268 | 2002-07-02 | ||
FR0208268 | 2002-07-02 |
Publications (2)
Publication Number | Publication Date |
---|---|
US20040028224A1 US20040028224A1 (en) | 2004-02-12 |
US7403620B2 true US7403620B2 (en) | 2008-07-22 |
Family
ID=29720074
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/611,254 Expired - Fee Related US7403620B2 (en) | 2002-07-02 | 2003-07-01 | Cyphering/decyphering performed by an integrated circuit |
Country Status (3)
Country | Link |
---|---|
US (1) | US7403620B2 (fr) |
EP (1) | EP1379023B1 (fr) |
DE (1) | DE60314055T2 (fr) |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050232430A1 (en) * | 2004-04-16 | 2005-10-20 | Gebotys Catherine H | Security countermeasures for power analysis attacks |
US20090097639A1 (en) * | 2007-10-10 | 2009-04-16 | Canon Kabushiki Kaisha | Aes encryption/decryption circuit |
US20090285398A1 (en) * | 2008-05-16 | 2009-11-19 | Stmicroelectronics (Rousset) Sas | Verification of the integrity of a ciphering key |
EP2159952A1 (fr) * | 2008-08-28 | 2010-03-03 | STMicroelectronics (Rousset) SAS | Protection d'un algorithme de chiffrement |
US20100100748A1 (en) * | 2005-06-29 | 2010-04-22 | Koninklijke Philips Electronics, N.V. | Arrangement for and method of protecting a data processing device against an attack or analysis |
US20100287384A1 (en) * | 2005-06-29 | 2010-11-11 | Koninklijke Philips Electronics, N.V. | Arrangement for and method of protecting a data processing device against an attack or analysis |
US20110138182A1 (en) * | 2008-08-19 | 2011-06-09 | Nxp B.V. | Method for Generating a Cipher-based Message Authentication Code |
US8184806B2 (en) | 2004-05-24 | 2012-05-22 | Research In Motion Limited | Table masking for resistance to power analysis attacks |
US20120163585A1 (en) * | 2010-12-22 | 2012-06-28 | Electronics And Telecommunications Research Instittute | Masking addition operation device for prevention of side channel attack |
US9497021B2 (en) | 2009-08-27 | 2016-11-15 | Nxp B.V. | Device for generating a message authentication code for authenticating a message |
US20170063523A1 (en) * | 2015-09-02 | 2017-03-02 | Stmicroelectronics (Rousset) Sas | Dpa protection of a rijndael algorithm |
US10187198B2 (en) * | 2015-09-02 | 2019-01-22 | Stmicroelectronics (Rousset) Sas | Protection of a rijndael algorithm |
US10243728B2 (en) | 2015-09-02 | 2019-03-26 | Stmicroelectronics (Rousset) Sas | Verification of the resistance of an electronic circuit to side-channel attacks |
US11256478B2 (en) * | 2017-06-28 | 2022-02-22 | Thales Dis France Sa | Method for securing a cryptographic process with SBOX against high-order side-channel attacks |
Families Citing this family (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2820576B1 (fr) * | 2001-02-08 | 2003-06-20 | St Microelectronics Sa | Procede de cryptage protege contre les analyses de consommation energetique, et composant utilisant un tel procede de cryptage |
FR2820577B1 (fr) * | 2001-02-08 | 2003-06-13 | St Microelectronics Sa | Procede securise de calcul cryptographique a cle secrete et composant mettant en oeuvre un tel procede |
DE10345454A1 (de) * | 2003-09-30 | 2005-04-28 | Infineon Technologies Ag | Wortindividuelle Schlüsselerzeugung |
KR100585119B1 (ko) * | 2004-01-07 | 2006-06-01 | 삼성전자주식회사 | 암호화 장치, 암호화 방법 및 그 기록매체 |
DE602004023436D1 (de) * | 2004-03-29 | 2009-11-12 | St Microelectronics Sa | Prozessor zum ausführen eines aes algorithmus |
EP1601132B1 (fr) * | 2004-05-24 | 2006-11-15 | Research In Motion Limited | Masquage de table pour résister aux attaques par analyse de puissance |
DE602005009439D1 (de) * | 2004-07-06 | 2008-10-16 | Proton World Int Nv | Stromverschlüsselung des Inhalts eines Speichers, welcher ausserhalb eines Prozessors angeordnet ist |
EP1615369A1 (fr) * | 2004-07-06 | 2006-01-11 | Proton World International N.V. | Chiffrement par blocs du contenu d'une mémoire externe à un processeur |
JP4589327B2 (ja) * | 2004-07-07 | 2010-12-01 | 三菱電機株式会社 | 電子素子及びデータ処理方法 |
FR2879383A1 (fr) * | 2004-12-14 | 2006-06-16 | St Microelectronics Sa | Masquage de mots binaires traites par un circuit integre |
US9191198B2 (en) * | 2005-06-16 | 2015-11-17 | Hewlett-Packard Development Company, L.P. | Method and device using one-time pad data |
US8036379B2 (en) * | 2006-03-15 | 2011-10-11 | Microsoft Corporation | Cryptographic processing |
FR2899751B1 (fr) * | 2006-04-10 | 2008-07-04 | Oberthur Card Syst Sa | Procede de traitement cryptographique de donnees, dispositif et programme associes |
FR2941342B1 (fr) * | 2009-01-20 | 2011-05-20 | Groupe Des Ecoles De Telecommunications Get Ecole Nat Superieure Des Telecommunications Enst | Circuit de cryptographie protege contre les attaques en observation, notamment d'ordre eleve. |
US8675866B2 (en) * | 2011-07-07 | 2014-03-18 | Apple Inc. | Multiplicative splits to protect cipher keys |
US8958550B2 (en) * | 2011-09-13 | 2015-02-17 | Combined Conditional Access Development & Support. LLC (CCAD) | Encryption operation with real data rounds, dummy data rounds, and delay periods |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0981223A2 (fr) | 1998-08-20 | 2000-02-23 | Kabushiki Kaisha Toshiba | Dispositif de chiffrage/déchiffrage |
WO2000041356A1 (fr) | 1998-12-30 | 2000-07-13 | Koninklijke Kpn N.V. | Procede et dispositif de traitement cryptographique de donnees |
EP1109350A1 (fr) | 1999-12-15 | 2001-06-20 | Sagem Sa | Dispositif mettant en oeuvre un algoritme de chiffrage par bloc à répétition de rondes |
US20030223580A1 (en) * | 2002-05-23 | 2003-12-04 | Snell Dorian L. | Advanced encryption standard (AES) hardware cryptographic engine |
2003
- 2003-07-01 US US10/611,254 patent/US7403620B2/en not_active Expired - Fee Related
- 2003-07-02 EP EP03300046A patent/EP1379023B1/fr not_active Expired - Fee Related
- 2003-07-02 DE DE60314055T patent/DE60314055T2/de not_active Expired - Lifetime
Non-Patent Citations (5)
Title |
---|
Akkar, M.L. et al., An Implementation of DES and AES, Secure Against Some Attacks, Cryptographic Hardware and Embedded Systems, 3rd International Workshop, CHES 2001, Paris, France, May 14-16, 2001 Proceedings, Lecture Notes in Computer Science, Berlin: Springer, DE, vol. 2162, 2001 pp. 309-318, XP008002641. |
French Preliminary Search Report from French priority application No. 0208268, filed Jul. 2, 2002. |
Joan Daemen and Vincent Rijmen, AES Proposal: Rijndael, Mar. 9, 1999, retrieved date Jun. 25, 2006. * |
Kocher, P. et al., Differential Power Analysis, Conference Crypto, 1999, pp. 388-397 XP000279852. |
Thomas S. Messerges, Securing the AES Finalists Against Power Analysis Attacks, B. Schneier (Ed.) pp. 150-164, 2001. Retrieved date Jun. 25, 2006. * |
Cited By (27)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050232430A1 (en) * | 2004-04-16 | 2005-10-20 | Gebotys Catherine H | Security countermeasures for power analysis attacks |
US8638944B2 (en) | 2004-04-16 | 2014-01-28 | Blackberry Limited | Security countermeasures for power analysis attacks |
US8325928B2 (en) | 2004-04-16 | 2012-12-04 | Research In Motion Limited | Security countermeasure for power analysis attacks |
US7899190B2 (en) * | 2004-04-16 | 2011-03-01 | Research In Motion Limited | Security countermeasures for power analysis attacks |
US8184806B2 (en) | 2004-05-24 | 2012-05-22 | Research In Motion Limited | Table masking for resistance to power analysis attacks |
US20100100748A1 (en) * | 2005-06-29 | 2010-04-22 | Koninklijke Philips Electronics, N.V. | Arrangement for and method of protecting a data processing device against an attack or analysis |
US20100287384A1 (en) * | 2005-06-29 | 2010-11-11 | Koninklijke Philips Electronics, N.V. | Arrangement for and method of protecting a data processing device against an attack or analysis |
US8738927B2 (en) | 2005-06-29 | 2014-05-27 | Irdeto B.V. | Arrangement for and method of protecting a data processing device against an attack or analysis |
US9191197B2 (en) * | 2007-10-10 | 2015-11-17 | Canon Kabushiki Kaisha | AES encryption/decryption circuit |
US20090097639A1 (en) * | 2007-10-10 | 2009-04-16 | Canon Kabushiki Kaisha | Aes encryption/decryption circuit |
US20090285398A1 (en) * | 2008-05-16 | 2009-11-19 | Stmicroelectronics (Rousset) Sas | Verification of the integrity of a ciphering key |
US8848917B2 (en) * | 2008-05-16 | 2014-09-30 | Stmicroelectronics (Rousset) Sas | Verification of the integrity of a ciphering key |
US20110138182A1 (en) * | 2008-08-19 | 2011-06-09 | Nxp B.V. | Method for Generating a Cipher-based Message Authentication Code |
KR101324351B1 (ko) | 2008-08-19 | 2013-11-01 | NXP B.V. | Method for generating a cipher-based message authentication code |
US8635452B2 (en) * | 2008-08-19 | 2014-01-21 | Nxp B.V. | Method for generating a cipher-based message authentication code |
US8582757B2 (en) | 2008-08-28 | 2013-11-12 | Stmicroelectronics (Rousset) Sas | Protection of a ciphering algorithm |
FR2935503A1 (fr) * | 2008-08-28 | 2010-03-05 | St Microelectronics Rousset | Protection of a ciphering algorithm |
EP2159952A1 (fr) * | 2008-08-28 | 2010-03-03 | STMicroelectronics (Rousset) SAS | Protection of a ciphering algorithm |
US20100054460A1 (en) * | 2008-08-28 | 2010-03-04 | Stmicroelectronics (Rousset) Sas | Protection of a ciphering algorithm |
US9497021B2 (en) | 2009-08-27 | 2016-11-15 | Nxp B.V. | Device for generating a message authentication code for authenticating a message |
US8774406B2 (en) * | 2010-12-22 | 2014-07-08 | Electronics And Telecommunications Research Institute | Masking addition operation device for prevention of side channel attack |
US20120163585A1 (en) * | 2010-12-22 | 2012-06-28 | Electronics And Telecommunications Research Institute | Masking addition operation device for prevention of side channel attack |
US20170063523A1 (en) * | 2015-09-02 | 2017-03-02 | Stmicroelectronics (Rousset) Sas | Dpa protection of a rijndael algorithm |
US10187198B2 (en) * | 2015-09-02 | 2019-01-22 | Stmicroelectronics (Rousset) Sas | Protection of a rijndael algorithm |
US10210776B2 (en) * | 2015-09-02 | 2019-02-19 | Stmicroelectronics (Rousset) Sas | DPA protection of a rijndael algorithm |
US10243728B2 (en) | 2015-09-02 | 2019-03-26 | Stmicroelectronics (Rousset) Sas | Verification of the resistance of an electronic circuit to side-channel attacks |
US11256478B2 (en) * | 2017-06-28 | 2022-02-22 | Thales Dis France Sa | Method for securing a cryptographic process with SBOX against high-order side-channel attacks |
Also Published As
Publication number | Publication date |
---|---|
DE60314055T2 (de) | 2008-01-24 |
US20040028224A1 (en) | 2004-02-12 |
EP1379023B1 (fr) | 2007-05-30 |
DE60314055D1 (de) | 2007-07-12 |
EP1379023A1 (fr) | 2004-01-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7403620B2 (en) | Cyphering/decyphering performed by an integrated circuit | |
US7295671B2 (en) | Advanced encryption standard (AES) hardware cryptographic engine | |
CN101006677B (zh) | Method and device for performing cryptographic operations | |
US11546135B2 (en) | Key sequence generation for cryptographic operations | |
US8102997B2 (en) | Processor for executing an AES-type algorithm | |
US8094816B2 (en) | System and method for stream/block cipher with internal random states | |
US10243728B2 (en) | Verification of the resistance of an electronic circuit to side-channel attacks | |
US10210776B2 (en) | DPA protection of a rijndael algorithm | |
US10187198B2 (en) | Protection of a rijndael algorithm | |
US20120170739A1 (en) | Method of diversification of a round function of an encryption algorithm | |
US9565018B2 (en) | Protecting cryptographic operations using conjugacy class functions | |
US10819502B2 (en) | Method for symmetric block encryption or decryption | |
KR20050078271A (ko) | Hardware encryption/decryption device for low-power, high-speed operation and method thereof | |
US8582757B2 (en) | Protection of a ciphering algorithm | |
EP1419436B1 (fr) | Apparatus and method for executing a cryptographic algorithm | |
EP1629626B1 (fr) | Method and apparatus for a low-memory-footprint implementation of the key expansion function | |
US20220414268A1 (en) | Protection of data processed by an encryption algorithm | |
JP2005529365A (ja) | AES MixColumns transformation | |
Okazaki et al. | Formal Verification of AES Using the Mizar Proof Checker | |
ManjulaRani et al. | An Efficient FPGA Implementation of Advanced Encryption Standard Algorithm on Virtex-5 FPGAs | |
Anjali et al. | Efficient Area and High Speed Advanced Encryption Standard Algorithm | |
Imran et al. | An optimized hardware implementation of Advanced Encryption Standard (AES-192) | |
KR20050019086A (ko) | Advanced encryption standard (AES) hardware cryptographic engine | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: STMICROELECTRONICS, S.A., FRANCE. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNORS: LIARDET, PIERRE-YVAN; ROMAIN, FABRICE; TAGLIA, YANNICK; AND OTHERS; REEL/FRAME: 014284/0282. Effective date: 20030619 |
| CC | Certificate of correction | |
| FPAY | Fee payment | Year of fee payment: 4 |
| REMI | Maintenance fee reminder mailed | |
| LAPS | Lapse for failure to pay maintenance fees | |
| STCH | Information on status: patent discontinuation | Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
| FP | Lapsed due to failure to pay maintenance fee | Effective date: 20160722 |